Edition No. 1

The Git Gazette

Your weekly repo roundup

GoogleChrome/lighthouse · Last 7 days

Automated auditing, performance metrics, and best practices for the web.

Security Status
🟡

0 advisories recently patched.

See Patch Wiresec's report below for details.

Last checked: Apr 7, 2026

Patch Wiresec — info status

Lighthouse Ships v13.1.0, Fixes Breaking Changes, Preps OIDC Publishing

Here's what matters this week: 1 major release, 1 critical revert, and infrastructure prep that'll make future releases smoother.

Version 13.1.0 is live (#16948). Key addition: baseline compatibility audit for web standards tracking. Ships to Chrome 149 DevTools and PageSpeed Insights within two weeks. Clean release by @lusayaa with quick @paulirish approval.

Breaking change reverted (#16949). Network request type conversions introduced in #16943 broke Lightrider. @lusayaa caught and fixed this fast — verified with smokerider tests before merge. That's how you handle regression fixes.

Configuration behavior clarified (#14986). Empty arrays (onlyAudits: []) now throw specific errors instead of silently filtering everything. @connorjclark's fix prevents a common developer gotcha.

Worth watching: Experimental "agentic browsing" category landed (#16953) but stays disabled by default. Currently CLS-only, config at core/config/agentic-browsing-config.js. @paulirish commented but no approval yet — this one's still cooking.

Infrastructure upgrade: NPM trusted publishing setup in progress (#16944). Will replace manual npm credentials with OIDC tokens. Smart security move.

Bottom line: Solid maintenance release with one major new audit, plus quick fixes when things break. The Lighthouse team keeps shipping.

The Security Wire
By Patch Wiresec

Lighthouse Navigates Choppy CVE Waters with Historical Vulnerabilities

Wiresec Urgency Scale: 🚨 (1/5) — Historical references, no immediate action required

Field report from the Chrome DevTools perimeter: GoogleChrome/lighthouse has surfaced with references to two CVEs in recent pull request activity — CVE-2026-4800 and CVE-2021-23337. Before you sound the general alarm, these appear to be historical references rather than active threats against the current codebase.

CVE-2021-23337 is a known lodash prototype pollution vulnerability that sent shockwaves through the JavaScript ecosystem back in 2021. If these references are dependency-related cleanup work, that's exactly the kind of proactive security hygiene we like to see from a project this critical to the web performance monitoring ecosystem.

CVE-2026-4800 raises an eyebrow — that's a future year designation, which suggests either a typo, a testing reference, or documentation work. Without access to the specific PR context, I'm treating this as administrative rather than operational.

What's concerning is the absence of a SECURITY.md file in this high-profile repository. For a tool that audits web security best practices, Lighthouse should lead by example with clear vulnerability disclosure procedures. The repo shows zero unpatched vulnerabilities currently, which is reassuring, but transparency in security processes would complete the picture.

Action Item: Monitor for any security advisories related to these CVE references. Maintainers should consider establishing formal security documentation to match their stellar technical standards.

Current Threat Level: Green — historical housekeeping, not active vulnerabilities.

The Drama Desk
By Rita Conflictsón

Empty Arrays Spark Philosophy Debate in Lighthouse Configuration Drama

BREAKING: What started as a simple bug report has evolved into an existential crisis about the meaning of empty arrays in issue #14986, and dear readers, the philosophical implications are chef's kiss.

Our protagonist @benschwarz filed what seemed like a straightforward complaint: setting onlyAudits, onlyCategories, and skipAudits to empty arrays returns unexpected results. But oh, what drama ensued!

Enter @connorjclark with the plot twist of the century: "This is working as expected." Gasps from the audience. The crux of the matter? onlyCategories: [] (empty array) versus onlyCategories: null (no value) are apparently as different as night and day. The former filters out everything, while the latter ignores the setting entirely.

But @benschwarz wasn't having it! "My expectation was a little bit different: Empty array = no values are set," they fired back. The philosophical divide was clear: Is an empty container the same as no container at all?

In a stunning turn of events, @connorjclark proposed a diplomatic solution: throw specific errors when developers pass empty arrays ("which is never useful") and generic ones when no audits survive the filtering gauntlet.

Seven comments later, this case was marked closed — but the existential questions linger on.

Sources: #14986

A Release Week Retrospective: Version 13.1.0 and the Art of Agentic Innovation

This week's exhibition at the Lighthouse repository presents a fascinating study in the choreography of software evolution — where the mundane mechanics of version management dance alongside bold experimental ventures.

The centerpiece, naturally, is PR #16948's release of v13.1.0, orchestrated by @lusayaa with the practiced efficiency of a seasoned gallery curator. One observes the meticulous changelog additions spanning 56 lines — each entry a carefully cataloged artifact of progress, reviewed with swift approval by @paulirish. Such releases possess the understated elegance of a well-curated retrospective.

Yet the true avant-garde moment arrives with PR #16953's introduction of "agentic browsing" — a category so experimental it remains hidden from default configurations like a controversial installation piece. The phrase "may be subject to change" carries the delicious uncertainty of emerging artistic movements. That it currently runs only CLS metrics suggests an artist still finding their medium.

Meanwhile, the supporting acts demonstrate their own quiet virtues: PR #16954's documentation refinements (a single character change in version scripts — minimalism at its finest), and the merged PR #16949's reversion of network request changes, proving that sometimes the most elegant solution is admitting when one has overreached.

The dependabot submissions cluster like eager apprentices, though one notes their lodash updates sit patiently awaiting approval — even automation must queue for the master's attention.

Adequate.

The Shipping Forecast
By Captain Semver

Fair Winds and Following Releases: Lighthouse v13.1.0 Drops Anchor

SHIPPING FORECAST, issued Tuesday 0900 UTC: Steady sailing conditions across the Lighthouse waters as v13.1.0 made port on April 7th, helmed by @lusayaa with favorable winds.

Conditions report shows a minor release system moving northeast — patch-level changes with one significant new feature making landfall. The baseline compatibility audit (#16904) has been brought aboard, offering navigational assistance for web compatibility charting. All hands welcome new crew member Iaroslav Shvets (@iaroslavshvets) to the vessel.

Barometric pressure remains stable following the recent patch squall — v13.0.3 on February 11th corrected the npm package manifest after @paulirish spotted publishing irregularities in the previous watch. The February 10th v13.0.2 deployment by @TravenReese brought hreflang updates (#16829) and new robots-txt directives (#16767) into the ship's logs.

Looking astern, the major v13.0.0 hurricane system made significant alterations to the vessel's performance audits back in October, with @connorjclark at the helm during that substantial weather pattern.

Current forecast: Light variable winds with Chrome 149 DevTools integration expected within the fortnight. PageSpeed Insights deployment following standard two-week harbor approach. Recent commit activity shows steady maintenance work — dependency upgrades (#16943) and test modernization efforts keeping the ship seaworthy.

All vessels advised: Navigation charts updated, fair weather holding.

Community Pulse
By Flo Stargazer

Lighthouse Community Shines Bright with Fresh Faces and Steady Contributors

What a stellar week for the Lighthouse community! The repository is absolutely humming with activity — we saw 29 unique contributors this week, which shows this performance auditing powerhouse continues to attract both seasoned developers and fresh talent.

I'm especially excited to welcome some new faces who jumped into the action this week, including @TravenReese who made a meaningful contribution with baseline icons in #16927. It's always thrilling to see first-time contributors tackle substantial features rather than just typo fixes — though those are valuable too!

Our community stalwarts @lusayaa and @paulirish have been particularly active, with @lusayaa handling release duties in #16948 and #16954, while @paulirish kept our testing infrastructure humming with modernization work in #16939. This kind of steady maintenance work is the backbone of any healthy project.

The numbers tell a great story: 7 push events, 4 pull requests, and a healthy mix of forks and watches show that Lighthouse continues to grow its developer base. With over 30k stars and nearly 10k forks, this isn't just a popular tool — it's a community-driven ecosystem.

What strikes me most is the balance: we're seeing both infrastructure improvements and user-facing features like the baseline audit enhancements. That's the sign of a mature project that hasn't forgotten its mission to help developers build better web experiences.
